So it’s 10pm, and I think I finally cracked it… thanks to this tutorial: http://www.brianlegg.com/post/2011/05/09/Implementing-your-own-RoleProvider-and-MembershipProvider-in-MVC-3.aspx I suspect I have tied an MVC3 application to a small set of credential fields in an existing database table on SQL Server. I need to get away from the bloat of the default SQL membership and role provider structures.
The next issue will be working out whether the hash used by the existing web-based application that uses the table I have now integrated with and the hash used by mine are compatible… I will leave that until tomorrow.
On a separate note, a great presentation I saw on my iPad this week was from here: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/DEV333
where Adam Tuliper discusses web application security, including some nice open source add-ons to make MVC less vulnerable to XSS attacks and SQL injection, amongst other things. One thing that stood out as nice and simple, but essential, was how easy he makes it to encrypt a section of web.config; see the screenshot from the video below. Essentially the first statement encrypts, and the second one will decrypt on the same machine (the machine identifier is used in the algorithm, so it can’t be decrypted on another machine, unless you are an uber cracker).
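The encrypt/decrypt pair described above, written out as an added example (it is not taken from the video or its screenshot). It assumes the stock `aspnet_regiis.exe` tool with its `-pef`/`-pdf` switches, a hypothetical site folder `C:\inetpub\wwwroot\MyMvcApp`, and the `connectionStrings` section, and it checks that the section really ends up as ciphertext.

```powershell
# Added example. $site and $section are assumptions; adjust to your application.
# Run from an elevated prompt so the tool can reach the machine key store.
$regiis  = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
$site    = 'C:\inetpub\wwwroot\MyMvcApp'   # hypothetical folder that holds web.config
$section = 'connectionStrings'             # section to protect
$config  = Join-Path $site 'web.config'

function Test-SectionEncrypted {
    param([string]$ConfigPath, [string]$SectionName)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigPath)
    # local-name() keeps the lookup working if the file declares a default namespace.
    $node = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='$SectionName']")
    if ($null -eq $node) { throw "Section '$SectionName' not found in $ConfigPath" }
    # An encrypted section names its provider and wraps its content in <EncryptedData>.
    $hasProvider = -not [string]::IsNullOrEmpty($node.GetAttribute('configProtectionProvider'))
    $hasCipher   = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
    return ($hasProvider -and $hasCipher)
}

if (-not (Test-Path -LiteralPath $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

if (Test-SectionEncrypted $config $section) {
    Write-Output "$section is already encrypted; nothing to do."
} else {
    # -pef: encrypt the named section of the web.config in the given physical folder.
    & $regiis -pef $section $site
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed with exit code $LASTEXITCODE" }
    if (-not (Test-SectionEncrypted $config $section)) {
        throw "$section still contains plaintext after -pef"
    }
    Write-Output "$section encrypted with this machine's key."
}

# -pdf reverses it, and only on the machine that holds the key:
#   & $regiis -pdf $section $site
```

ASP.NET decrypts the section transparently at runtime, so the application code that reads the connection string does not change.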